← Back to context

Comment by AndyKelley

8 hours ago

Thank you for the kind words.

> every line of C/Zig is unsafe

This is trivially false... for instance here's a line:

    const pi = 3.14;

It's actually a pretty small subset of the language that can cause unchecked illegal behavior.

Also IMO the word "safety" should include integer overflow. I don't agree that those kind of bugs are so unimportant as to not be checked in safe builds.

1 comment

AndyKelley

Reply
hardwaresofton  6 hours ago

> Thank you for the kind words.

Absolutely, I meant them.

> This is trivially false... for instance here's a line:

Yep, that was really wrongly stated on my part -- what I meant is that the kind of protections that "safe" Rust provides are not available anywhere in average lines of Zig code (though they can be detected with tooling, etc).

What I should have written is that I could easily write unsafe code anywhere in Zig (as in C). In practice of course most people don't because they're not trying to destroy their own computers, and most code is benign. Rust will at least save me from myself some of the time.

> Also IMO the word "safety" should include integer overflow. I don't agree that those kind of bugs are so unimportant as to not be checked in safe builds.

Rust does do some work to catch trivial overflows, but you're right that it does not catch any slightly more complex overflows, and that is certainly unsafe in a sense. I don't think any reasonable person would disagree with that.

Rust's answer to this of course is checked_{op}/wrapping_{op}/etc options, and that's what I often see in high quality codebases where it matters. Of course, this is a footgun that could have had a safety applied and it's too late now (AFAIK) to change the default to be always wrapping or something (also, I think people may oppose always checked for perf reasons).

[EDIT] Just to compare/make this more concrete, playgrounds:

https://zig.fly.dev/p/LGnrBGXPlVJ

https://play.rust-lang.org/?version=stable&mode=release&edit...

Rust in this case of doing something obviously wrong is at least a little more helpful -- the obvious overflow does not compile.

And of course you can get rust to do it like it allows (and what would be present in any codebase with real complexity):

https://play.rust-lang.org/?version=stable&mode=release&edit...

It's just that little bit of safety that makes it easy for me (personally) to default to Rust. Very possible that someday that won't be true.

[EDIT2] Also, somewhat under-discussed, but if Zig supported a bolt-on a "safety check compile mode" that ran with some stricter (maybe not quite borrow checking level) semantics, that would be pretty dope. Of course not something anyone should devote any real time to for a long time (or ever?) BUT it would trivialize a lot of these discussions maybe.

But in the mean time people just using what they're comfortable with/the feel they want is obviously fine.